With So Many Older Bugs Around, Why Bother With Zero-Days?

Don't obsess over zero-day vulnerabilities and the highly sophisticated, targeted attacks. Attackers are more likely to exploit older, known flaws in Web applications, so focus on basic patching and security hygiene instead.

A vulnerability patched in 2010 and another in 2009 were among the ten most frequently targeted Web vulnerabilities in April, Barry Shteiman, Imperva's director of security strategy, told SecurityWatch. Despite their age, both private and industrialized attackers continue to target these vulnerabilities, because these attack campaigns are "lucrative." The attack doesn't require buying or developing expensive zero-day exploits "as old ones that are widely available work just as well," Shteiman said.

Attackers understand that older vulnerabilities are the low-hanging fruit of Web application security. Attackers can be sophisticated if they need to, and there are tools at their disposal to craft complex campaigns. But why bother when people stick with outdated versions of Web applications or administrators don't maintain a regular patching schedule for them? The problem is even more prevalent among widely used applications, such as forum software, content management systems, and even e-commerce tools, Shteiman said.

Systems at Risk

All of the vulnerabilities targeted in April were injection attacks, such as file and SQL injection, and all have been patched. The 2010 flaw exploited a privilege management issue in ZeusCMS 0.2, and the 2009 bug was a SQL injection in Zen Cart 1.3.8 and earlier. "Vulnerabilities never seem to die," Shteiman said.

If attackers knew of an issue in one CMS and that CMS had been installed 10 million times, looking for sites running that version of the software "makes sense," Shteiman said. It requires some judicious Google-fu and nothing much else.

Imperva provided a chart of the ten top vulnerabilities targeted, and three things pop out. The "newest" vulnerability on the list is from 2013. As can be seen by the CVSS score, the vulnerabilities themselves aren't sophisticated, highly critical flaws. And the exploits themselves aren't that complex.

There have been plenty of mass attacks against popular CMS software, including WordPress and Joomla. With enough vulnerable systems out there, it is far cheaper and easier for attackers to look for those systems instead of crafting zero-day attacks.

Increase in Injection World

Attackers just use existing and recently discovered attack vectors over and over, Shteiman said. This is why SQL injection and cross-site scripting remain popular attack vectors. The SQLi problem was solved ten years ago, but the attack rates are still high. Cross-site scripting accounted for 40 percent of attacks over the last three months and SQL injection for 25 percent, he said.

"If we have a cure for cancer, you expect to see a decline in mortality rates. But that isn't the case for SQL injection," Shteiman said.

A quick glance at Exploit-db.com confirms Shteiman's observations. Of the seven exploits listed under Web applications, five dealt in some way with off-the-shelf software, such as WordPress, AuraCMS, or social business platform Sharetronix. XSS and SQL injection attacks were also frequently listed.

Administrators, whether they are managing sites that have millions of users each day or a site with a smaller online presence, need to ensure they regularly patch their software. Many CMS developers have simplified the update process within their software, and there are tools to help identify all the applications that have been installed. Features not being used should be disabled.
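As an added illustration (not from the article or Imperva), here is a small Python audit that checks an application inventory against the two flaws the article names; the advisory table, the inventory, and the "at or below the named version is still exposed" rule are all constructed assumptions, not vendor-published affected ranges.

```python
import re

# Constructed advisory table. The entries restate the two flaws the article
# names ("Zen Cart 1.3.8 and earlier", "ZeusCMS 0.2"); treating any version
# <= affected_max as exposed is this example's assumption, not a vendor range.
ADVISORIES = [
    {"product": "Zen Cart", "affected_max": "1.3.8", "issue": "SQL injection, patched 2009"},
    {"product": "ZeusCMS", "affected_max": "0.2", "issue": "privilege management, patched 2010"},
]

# Constructed inventory, as an application-discovery tool might report it.
INVENTORY = [
    {"host": "www1", "product": "Zen Cart", "version": "1.3.8"},
    {"host": "www2", "product": "Zen Cart", "version": "1.3.9"},
    {"host": "www3", "product": "zeuscms", "version": "0.2"},
    {"host": "www4", "product": "WordPress", "version": "3.5.1"},
]


def parse_version(text):
    """'1.3.8a' -> ((1, 3, 8), 'a'); trailing zeros dropped so '1.3' == '1.3.0'.

    Numeric compare, then suffix: '1.3.8' < '1.3.8a' < '1.3.9', and '1.10' > '1.9'.
    """
    match = re.match(r"^(\d+(?:\.\d+)*)\s*([A-Za-z]*)$", text.strip())
    if not match:
        raise ValueError("unrecognised version string: %r" % text)
    numbers = [int(part) for part in match.group(1).split(".")]
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()
    return tuple(numbers), match.group(2).lower()


def find_advisory(product, version):
    """Advisory covering this product at this version or older, else None."""
    installed = parse_version(version)
    for adv in ADVISORIES:
        if adv["product"].lower() == product.lower() and installed <= parse_version(adv["affected_max"]):
            return adv
    return None


def audit(inventory):
    """Inventory entries still running a known-vulnerable version."""
    findings = []
    for entry in inventory:
        adv = find_advisory(entry["product"], entry["version"])
        if adv is not None:
            findings.append(dict(entry, issue=adv["issue"]))
    return findings
```

Comparing version strings numerically rather than as text is the part most home-grown inventory scripts get wrong; the advisory table has to be kept current for the audit to mean anything.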

Sure, the zero-day attacks and targeted attacks are scary. But if the attackers come for your data and your site (and the odds are high someone will), don't make it easy by having holes in your software. Patch, run assessment tools, and look for suspicious behavior. Vigilance is key.

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source.
Follow me on Twitter: zdfyrashid